In-brief: The author argues that the devaluation of traditionally “soft” skills like empathy, communication and collaboration in the information security space may be hampering the ability of IT security teams to respond to human-focused threats and attacks.
Let’s face it: there are not a lot of women in cybersecurity. This is hardly unique to the field—there are lots of male-dominated industries—but what is unique is the threat the lack of women poses to national security. That’s because the gender gap is a symptom, not the cause, of a greater underlying issue: the devaluation of traditionally feminized skills.
“Soft skills,” like empathy, communication, and collaboration are undeniably lacking in the digital security sector. Failing to prioritize these skills—and the people who have them, regardless of gender—perpetuates the frustration we all feel as CISOs and security researchers, CEOs and IT, and especially as end users and engineers. More importantly, however, focusing exclusively on “hard skills” in information security limits our conceptions of security solutions and increases risks to our systems and users.
Monolithic teams are inherently limited in their ability to identify problems and generate new solutions. “Studies have shown that projects that embrace diversity are more successful. It’s a simple truth that people with different life backgrounds and life experiences bring unique perspectives to problem-solving,” says Amie Stepanovich, the U.S. policy manager at Access Now. When we keep hiring technologists to solve problems, we keep getting technical solutions. Why else would access control still revolve around passwords?
Dr. Sara “Scout” Sinclair Brody is the executive director of Simply Secure, an organization that helps the open-source security community create more user-friendly tools. Too often, she says, security solutions like these don’t account for the human environment in which they will be deployed. “It’s prioritizing a ‘tech first’—not a ‘human first’ or ‘empathy first’—perspective.” This is particularly problematic when you consider that nine times out of ten, social engineering attacks are the best ways to gain access to a system, she adds. (Dual authentication isn’t a very effective tool if you can just call tech support and get their key, now, is it?) “Security software is a process not a product: without the human processes and structures in place to support your security tool, your security tool is worthless.”
This isn’t an unsolvable problem: there are entire fields—like user experience and human-centered design—dedicated to improving the way humans and technology interact. “Shockingly little of that,” says Brody, “has made it into the security domain.”
We think we need “cyber experts” with hard skills because we’ve made cyber hard. It’s not user friendly. It’s easier to have poor cyber hygiene and accidentally cause a breach than it is to intentionally cause one, most of the time. We need some new ideas, some fresh perspectives. But we’ve got to make some changes.
Says Stepanovich, “To truly embrace diversity and the benefits that it can offer… organizations need to root out institutional racism and sexism, from policies like parental leave to ensuring equal pay and advancement opportunities.” And yes, that means that things like “Strip Jeopardy” at DEFCON have got to go. Personally, I think it’s a small price to pay if it will usher in the next generation of user-centric security.
As Admiral Mike Rogers, Director of the National Security Agency and head of U.S. Cyber Command, has said, “Don’t forget that at the end, you’re dealing with a choice that some human made on a keyboard somewhere.” It’s time to start designing for them.